asyncrat | ccfdb3b7aae8b9f7988244877cda82c24f2560577e1b22a5b56830cacd19ca80

Analysis

max time kernel
208s
max time network
215s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-12-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VenomRAT v6.0.3/VenomRAT v6.0.3.exe
Size

14.3MB
MD5

674fb9de862cbbb47a6ab5a7adb91d7e
SHA1

5895e99a1cb66771735bb93d6fc85110d064ac88
SHA256

dcb9b3bd02e4bca6dab8da73cfe8ff256cf70b2fef9aebd35f9c860b2e1df60e
SHA512

444d9c6519c1564520a93ca49edf1a7bb742043f53bcf3cb6fe7ae5561253515f39aa197cb39d10a140ac2fdf3b4986034d9f6f2264000965bd2eba94ec99602
SSDEEP

393216:vPv87RoDvSCG33lKqxsyEFfy1MpRt/RlY1V:vPv8727S/nweEFPRt5W1V

Score

10^/10

asyncrat xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:4444

heheyanel.ddns.net:4444

Attributes

Install_directory
%ProgramData%
install_file
Activator.exe
telegram
https://api.telegram.org/bot7427144754:AAHRLM93AsaKo2dFejmZxunuQW0uH41yfn0/sendMessage?chat_id=7294780361

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral26/files/0x001c00000002aae3-22.dat	family_xworm
behavioral26/memory/4720-25-0x0000000000350000-0x000000000036A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1012	powershell.exe
3168	powershell.exe
4392	powershell.exe
5064	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	venom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	venom.exe

Executes dropped EXE 5 IoCs

pid	Process
1252	Venom RAT + HVNC + Stealer + Grabber.exe
4720	venom.exe
1868	svchost
4028	svchost
828	svchost

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost"	venom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1012	powershell.exe
1012	powershell.exe
3168	powershell.exe
3168	powershell.exe
4392	powershell.exe
4392	powershell.exe
5064	powershell.exe
5064	powershell.exe
4720	venom.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	venom.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4720	venom.exe
Token: SeDebugPrivilege	1868	svchost
Token: SeDebugPrivilege	4028	svchost
Token: SeDebugPrivilege	828	svchost

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4720	venom.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1252	3308	VenomRAT v6.0.3.exe	78
PID 3308 wrote to memory of 1252	3308	VenomRAT v6.0.3.exe	78
PID 3308 wrote to memory of 4720	3308	VenomRAT v6.0.3.exe	79
PID 3308 wrote to memory of 4720	3308	VenomRAT v6.0.3.exe	79
PID 4720 wrote to memory of 1012	4720	venom.exe	84
PID 4720 wrote to memory of 1012	4720	venom.exe	84
PID 4720 wrote to memory of 3168	4720	venom.exe	86
PID 4720 wrote to memory of 3168	4720	venom.exe	86
PID 4720 wrote to memory of 4392	4720	venom.exe	88
PID 4720 wrote to memory of 4392	4720	venom.exe	88
PID 4720 wrote to memory of 5064	4720	venom.exe	90
PID 4720 wrote to memory of 5064	4720	venom.exe	90
PID 4720 wrote to memory of 4584	4720	venom.exe	92
PID 4720 wrote to memory of 4584	4720	venom.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\VenomRAT v6.0.3.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\VenomRAT v6.0.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
  "C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Users\Admin\AppData\Roaming\venom.exe
  "C:\Users\Admin\AppData\Roaming\venom.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\venom.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'venom.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4584

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\ProgramData\svchost
C:\ProgramData\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34e3230cb2131270db1af79fb3d57752

SHA1
21434dd7cf3c4624226b89f404fd7982825f8ac6

SHA256
0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39

SHA512
3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3q0upzg.pya.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe

Filesize
14.2MB

MD5
3b3a304c6fc7a3a1d9390d7cbff56634

SHA1
e8bd5244e6362968f5017680da33f1e90ae63dd7

SHA256
7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58

SHA512
7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

Download Submit
C:\Users\Admin\AppData\Roaming\venom.exe

Filesize
81KB

MD5
ac5c47b2a86a3042f02e26a338e99466

SHA1
98e8c13d41179575145cdc800e603b467c2b18f1

SHA256
837d509ad49a587036361ee7fc30f5b18238bb98a310418298b5a6c1d350cb96

SHA512
8468268c03c0e286fdd767f961e90ade962ee46b8e12eddbb3204e77aa26475add2a8d8e61e6c8dd08952a0571942915b926192b34029155489813221d7135b3

Download Submit
memory/1012-38-0x00000206D34F0000-0x00000206D3512000-memory.dmp

Filesize
136KB

Download
memory/1252-29-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/1252-27-0x000001DA233F0000-0x000001DA24224000-memory.dmp

Filesize
14.2MB

Download
memory/1252-26-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/3308-0-0x00007FF9D6B73000-0x00007FF9D6B75000-memory.dmp

Filesize
8KB

Download
memory/3308-1-0x0000000000F10000-0x0000000001D5E000-memory.dmp

Filesize
14.3MB

Download
memory/4720-28-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/4720-25-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/4720-75-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download